Privacy Policy for AI Cookbook
Effective Date: October 5, 2025
Last Modified: October 6, 2025
Introduction
This Privacy Policy ("Policy") governs the manner in which AI Cookbook ("the Platform," "we," "us," or "our"), an individually-owned service based in India, collects, uses, maintains, and discloses information collected from users ("User," "you," or "your") of the AI Cookbook platform.
This Policy applies to the Platform and all products and services offered by AI Cookbook. By accessing or using our Platform, you signify your acceptance of this Policy. If you do not agree to this Policy, you must not use our Platform.
Our Commitment to Your Privacy
We architected AI Cookbook from the ground up with data privacy as a core principle. Our commitment is to provide a secure and trustworthy environment for your creative work. This philosophy can be summarized as follows:
- Minimal Data Collection: We collect only the absolute minimum personal data required for account functionality, security, and service operation.
- No Commercial Exploitation of Data: We will never sell, rent, trade, or share your Personal Data with third parties for their marketing purposes.
- Purpose-Limited Communication: We will only contact you for essential account-related matters, such as security alerts, password recovery, or significant updates to our Platform or policies. We do not send marketing or promotional emails.
- Data Sovereignty: Your generated content remains your own. We will never use your prompts or generated media to train third-party AI models.
- Privacy-Centric Analytics: We utilize cookieless, privacy-first analytics to understand usage trends without compromising individual user privacy.
- Transparent Infrastructure: We are fully transparent about the technologies and sub-processors we use to deliver the service, as detailed in Section 6.
1. Information We Collect and Process
We categorize the information we collect based on its source and nature.
1.1. Data You Voluntarily Provide
- Account Information: When you register for an account, we collect your full name, email address, and a hashed representation of your password. Passwords are never stored in plaintext and are processed using the industry-standard bcrypt hashing algorithm.
- Profile Information: You have the option to provide additional profile information, such as a profile picture and a custom username. The initial username is automatically generated and can be modified by you at any time.
- User-Generated Content (UGC): This includes all data you create or upload to the Platform, such as AI-generated images and videos, textual prompts, and any associated metadata.
- Direct Communications: If you contact us directly for support or feedback, we will retain a record of that correspondence, including your email address and the content of your messages.
1.2. Data Collected Automatically (Operational Data)
To ensure the functionality, security, and performance of the Platform, we automatically collect the following types of data:
- Log Data: Our servers automatically record information created by your use of the services. This Log Data may include your IP address (used transiently for security purposes like rate limiting and abuse prevention, but not stored long-term), browser type, operating system, referring web page, pages visited, location (at the city/country level), and timestamps. This data is used for security auditing, diagnostics, and maintaining service integrity.
- Device Information: We collect information about the device you are using to access the Platform, such as device type and model, to optimize user experience and troubleshoot technical issues.
1.3. Analytics Information (Aggregated & Anonymized)
We utilize Simple Analytics and Umami for website analytics. These are privacy-first services that operate without the use of persistent cookies or user-level tracking. The data collected is strictly aggregated and anonymized, and includes:
- Total page views and unique visits.
- Referrer sources.
- Browser and device types.
- Country of origin.
- No Personally Identifiable Information (PII) is ever collected or stored by our analytics providers.
2. Legal Basis and Purpose of Data Processing
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. For users in jurisdictions such as the European Union (under GDPR), our processing activities are based on the following:
| Purpose of Processing | Data Categories Involved | Legal Basis (GDPR) |
|---|---|---|
| Service Provision & Account Management | Account Information, Profile Information, UGC | Contractual Necessity (to fulfill our Terms of Service) |
| Authentication & Authorization | Email, Hashed Password, OAuth Tokens | Contractual Necessity |
| Content Storage & Retrieval | User-Generated Content | Contractual Necessity |
| Security & Fraud Prevention | Log Data, IP Address (transient) | Legitimate Interest (to protect our Platform and users) |
| Platform Improvement & Optimization | Anonymized Analytics Data | Legitimate Interest (to improve our service offering) |
| Essential Service Communications | Email Address | Legitimate Interest (to inform you of critical security/service updates) |
| OAuth Sign-In | Name, Email, Profile Picture (from provider) | Consent (you explicitly choose to use this sign-in method) |
3. Data Storage, Security, and Technology Infrastructure
We are transparent about our technology stack to provide you with a clear understanding of how and where your data is processed. All operations are executed via Next.js 15 Server Actions, ensuring that business logic and data manipulation occur securely on the server-side, never on the client.
- Hosting: The Platform is hosted on Vercel's infrastructure. Vercel acts as our hosting provider, serving application assets globally.
- Database, Authentication, & Storage: We utilize Supabase as our primary backend provider.
- Database: Your Account Information, Profile Information, and UGC metadata are stored in a Supabase PostgreSQL database.
- Authentication: Supabase manages user authentication, including secure password hashing (bcrypt) and the OAuth 2.0 flow for Google and GitHub sign-ins. OAuth access tokens are handled securely for session management and are not stored long-term.
- Storage: All uploaded files, including profile pictures and UGC, are stored in Supabase Storage Buckets.
- Data Security Measures:
- Encryption in Transit: All data transmitted between your client and our servers is encrypted using HTTPS/TLS 1.2 or higher.
- Encryption at Rest: Data stored within Supabase's infrastructure is encrypted at rest.
- Access Control: We enforce strict access controls on our database. We utilize PostgreSQL Row-Level Security (RLS) to ensure that a user can only query and access their own data. All file access requests are validated server-side via Next.js Server Actions against RLS policies, preventing unauthorized access even if a direct file URL is known.
- Email Delivery: Transactional emails (e.g., password resets, account verification) are sent via Maileroo, a transactional email delivery service. Only the necessary information (recipient email and message content) is processed for this purpose. Please note: There is a possibility that emails from our service may be categorized as spam by your email provider. We recommend checking your spam or junk folder and adding our email address to your contacts to ensure reliable delivery.
4. Data Retention Policy
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected.
- Account & Profile Data: Retained for the duration of your account's existence.
- User-Generated Content: Retained until you actively delete the content or your entire account.
- Server Logs: Retained for a limited period (typically up to 30 days) for security and diagnostic purposes before being purged.
- Upon account deletion, all associated personal data and content will be permanently and irreversibly removed from our production systems within a reasonable timeframe.
5. Your Rights and Data Control
Depending on your geographical location and applicable data protection laws, you have certain rights regarding your personal data. We are committed to upholding these rights for all users.
- Right to Access: You have the right to request a copy of the personal data we hold about you.
- Right to Rectification: You have the right to correct any inaccurate or incomplete personal data. This can be done via your account settings.
- Right to Erasure ('Right to be Forgotten'): You have the right to request the deletion of your account and all associated personal data.
- Right to Data Portability: You have the right to request your personal data in a structured, commonly used, and machine-readable format.
- Right to Withdraw Consent: Where we rely on consent for processing (e.g., OAuth), you have the right to withdraw that consent at any time.
To exercise any of these rights, please contact us at the email address provided in Section 10.
6. Third-Party Services (Sub-processors)
We rely on a limited number of trusted third-party services to operate the Platform. These services act as data sub-processors and only process data necessary for their function.
- Vercel (USA): Application Hosting
- Supabase (USA): Database, Authentication, and Storage
- Google & GitHub (USA): OAuth Authentication Providers
- Simple Analytics (Netherlands): Privacy-First Analytics
- Umami (USA): Privacy-First Analytics
- Maileroo (India): Email Delivery
7. International Data Transfers
The Platform is operated from India, and our sub-processors are located globally. By using the Platform, you acknowledge and agree that your personal data may be transferred to, and processed in, countries outside of your own, including the United States. We rely on the security and privacy commitments of our sub-processors, who often utilize mechanisms like Standard Contractual Clauses (SCCs) to ensure an adequate level of data protection.
8. Children’s Privacy
Our Platform is not intended for or directed at children under the age of 13 (or a higher age threshold as required by applicable law). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete such information promptly.
9. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will notify you by updating the "Last Modified" date at the top of this policy and may provide additional notice as appropriate under the circumstances. Your continued use of the Platform after any modification constitutes your acceptance of the revised Policy.
10. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact the owner and data controller:
Owner of AI Cookbook
Email: mrcoder2033d@gmail.com